Re: [Xen-users] Recipe for 'Thin Domain 0' request
William (Andy) Smith wrote:

I can attest that this works quite well. I have a domU acting as a router/firewall, and aside from having to hack the bridging script to support 3 nics, it worked without a problem.

One particularly nasty thought is to have Host 1 and Host 2 each serve 'firewall' guest domains. We have one routing IP outside of our 'public' IP network, and our provider will allow us a second routing IP. I would need to prove the theory that I can isolate the NIC device and its traffic from Domain 0 and all other domains in a firewall application.

The machine has 3 nics (internet, dmz, internal), and the dom0 boots up with an IP address only on the internal nic (eth1, eth2, xen-br1, and xen-br2 are all "up", but with no address assigned). The router domU is given access to all 3 nics:

    nics=3
    vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0',
            'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1',
            'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ]

while all the other domU's are only given access to the dmz nic.

The router domU then runs pppoe (for DSL), and standard iptables natting and routing using the shorewall package, though any iptables based routing approach should work fine.

This has been working quite stably for me for a while, starting with xen 2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.

Let me know (on or off list) if you have any questions about this setup.

-Tupshin

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
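One way to check the dom0 side of the setup described above (added here as an example, not part of the original message): list any IPv4 or IPv6 address dom0 holds on the interfaces the post says are up but unaddressed. The function names and the sample `ip -o addr show` output are constructed for illustration; on Linux an interface that is up with no IPv4 address can still carry an IPv6 link-local address, so both families are reported.

```shell
#!/bin/sh
# Added example: audit dom0 for addresses on interfaces that should have none.

# Interfaces the post names as "up" without an address in dom0.
UNADDRESSED_IFACES="eth1 eth2 xen-br1 xen-br2"

# Reads `ip -o addr show` output on stdin and prints "iface family address"
# for every inet/inet6 address bound to one of the interfaces listed in $1.
# Returns 0 when none are found, 1 otherwise.
addressed_ifaces() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        # One-line format: "<index>: <iface> <family> <addr/prefix> ..."
        ($3 == "inet" || $3 == "inet6") {
            iface = $2
            sub(/@.*/, "", iface)   # drop "@parent" suffix on stacked devices
            if (iface in watch) { print iface, $3, $4; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample input (not captured from a real host): eth0 is the
# internal nic with an address, eth1 has only an IPv6 link-local address,
# xen-br2 has been given an IPv4 address by mistake.
sample_dom0_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::200:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
6: xen-br2    inet 203.0.113.5/24 brd 203.0.113.255 scope global xen-br2\       valid_lft forever preferred_lft forever
EOF
}

# Run against the live host only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    ip -o addr show | addressed_ifaces "$UNADDRESSED_IFACES"
fi
```

A non-zero exit from `--live` means dom0 has a layer-3 presence on a segment that was meant to be reachable only through the router domU.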